Home > Vulnerability Database > CVE-2025-66022

Mend.io Vulnerability Database

CVE-2025-66022

Good to know:

Date: November 25, 2025

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.

Severity Score

9.6

Related Resources (4)

Url: https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66022

Url: https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w

Url: https://www.mend.io/vulnerability-database/CVE-2025-66022

Severity Score

9.6

Weakness Type (CWE)

Improper Authentication

CWE-287

Inclusion of Functionality from Untrusted Control Sphere

CWE-829

Top Fix

Upgrade Version

Upgrade to version https://github.com/factionsecurity/faction.git - 1.7.1

Learn More

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66022

Good to know:

Date: November 25, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?